Proxy prototype chain security issue

Issue description

Although the issue in 653555 is not quite accessible as such in the current version of V8, because Object.prototype.__proto__ is frozen, it is still possible to overwrite a middle portion of the prototype chain, splicing in a has trap, as objects like Window.prototype are not immutable prototype exotic objects. Therefore, it is important either to implement immutable prototype exotic objects for the built-in object prototype chain, or to put in a quick has-trap workaround.

Comment 1 by littledan@chromium.org, Oct 26 2016

Do you have a repro which we could feed to ClusterFuzz?

Oct 26 2016

I haven't written up a repro; I was thinking of focusing testing on verifying that the prototype chain is actually immutable. Do you think it's important to have an automated test to demonstrate the full SOP violation? This bug results in a violation of the same-origin policy, not in a crash, so I'm not sure what ClusterFuzz would do with it.

Dec 12 2016

Dec 13 2016

Mar 21 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
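The reporter's suggestion above, testing whether a prototype chain is actually immutable rather than demonstrating the full SOP violation, can be scripted. The following is an added example, not code from this issue or from V8/Chromium: it walks an object's prototype chain and reports which links Object.setPrototypeOf can still re-point, restoring each link immediately. Run under Node it can only show Object.prototype as immutable; in a browser console, probePrototypeChain(window) applies the same probe to the Window chain the description is about.

```javascript
// Added example (not from the issue thread or V8): report which links of an
// object's prototype chain Object.setPrototypeOf can still re-point.
// Each link is probed by swapping in a throwaway object and restoring the
// original right away, so the chain is left exactly as it was found.

// Best-effort label for a prototype object, via its own "constructor" slot.
function describe(proto) {
  const desc = Object.getOwnPropertyDescriptor(proto, 'constructor');
  return desc && typeof desc.value === 'function' && desc.value.name
    ? desc.value.name
    : '<anonymous>';
}

function probePrototypeChain(obj) {
  const results = [];
  let proto = Object.getPrototypeOf(obj);
  while (proto !== null) {
    const original = Object.getPrototypeOf(proto);
    let mutable;
    try {
      // Immutable prototype exotic objects (Object.prototype in every engine,
      // ideally the whole built-in chain) throw a TypeError here; so do
      // non-extensible objects, which likewise cannot be re-pointed.
      Object.setPrototypeOf(proto, {});
      mutable = true;
      Object.setPrototypeOf(proto, original); // restore the real link
    } catch (e) {
      if (!(e instanceof TypeError)) throw e;
      mutable = false;
    }
    results.push({ name: describe(proto), mutable });
    proto = original;
  }
  return results;
}

// Names of the links that can still be re-pointed by page script, i.e. the
// places where a has trap could be spliced in and which need hardening.
function mutableLinks(obj) {
  return probePrototypeChain(obj)
    .filter((r) => r.mutable)
    .map((r) => r.name);
}

// Stand-alone demo on a constructed class: its own prototype is mutable,
// while Object.prototype at the end of the chain is not.
class Widget {}
console.log(probePrototypeChain(new Widget()));
// → [ { name: 'Widget', mutable: true }, { name: 'Object', mutable: false } ]
```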